Monday, September 29, 2008

I wonder if you could import a Google bidness time calendar. Otherwise, it sounds like it would be just too much effort tracking events across all the silos ( well at least for me, probably not so much an issue for my typical readers).

I expect the invitations to 'join my network' would have a similar success rate to existing modalities.

Two Topeka-based scientists of the Login Dynamics Laboratory have announced that they have discovered the gene responsible for 'Login Paralysis syndrome' - a neuromuscular condition first identified in lab rats but more and more common amongst the human web-surfing population. When confronted by confusing Web login UI, those affected by the gene suffer symptoms such as catatonia, excessive sweating, and twitching of the mouse hand.

According to the research, the fault is in the gene of the protein kinase A of chromosome 17. The mutation increases the quantity of cortisol in the blood, this increased cortisol resulting in the typical symptoms when patients face non-intuitive user interfaces for logging in to Web sites.

"It's a horrible condition, absolutely debilitating", said Eugene Swan, PR Director for the Laboratory. "Sufferers can't do their online banking, make online purchases, or, God help them, even update their Twitter status. We thought we had a handle on it, but then federated identity comes along and numbers of patients just explode. We now think that these high numbers of patients have always been there, we just weren't aware of the full extent of the problem because the gene doesn't manifest itself fully till those patients try to decipher some of the user interfaces for federated log-in."

When asked about the prevalence of the anomalous gene amongst the population, head researcher Dr Adam Ventner responded 'Oh, it's 100%. Everybody has it. Except the Inuit, we're not sure why'.

Friday, September 26, 2008

Today's identity reality has users pay a large up-front cost (in their effort) when establishing a relationship with an SP, the value of that relationship only to be (hopefully) realized in the future. Kinda like front-loading in mutual funds (but without bailouts). Users have to decide too early, and based on insufficient data, whether a relationship will be net positive at some point.

Federated (in the inclusive sense) models can enable a cost curve that more closely matches the expected/hoped for value curve.

The up-front costs are minimized relative to today's model.

The relationship may still go sour (or prove of little value), but the user won't have invested as much sweat equity in it.

Your financial advisor will of course make their commission either way.

Thursday, September 25, 2008

As I go about my day, I often see things that make me think 'I should complain about that to someone'. Subsequently, with a decreased ire level, I almost always forget about the issue and never actually send the complaint.

But how can people improve if they don't know how they are disappointing me?

In hindsight, perhaps I should not have been surprised that maintaining a list on the fridge for the 'household' category of complaints was not strategic. So why can I not track my complaints online? Existing services are too geared towards consumers, but the things that irritate me cover all aspects of life.

Until such time as there is an online service, here is the first cut at a list by which I will track my undelivered complaints.

1. the kid who is delivering the weekly community newspaper is leaving the plastic bundle ties on the street

2. lackadaisical 'clicking' from readers of this blog has ensured that my Adsense revenue has yet to make a trip south possible.

3. I have to walk through clouds of employee smoke to get into the local grocery store.

4. nobody passes to me when I play hockey. How can I reach my goal-scoring potential without the puck?

5. the drive through at the Tim Horton's is covered in litter

As the above complaints are delivered, I will cross them off the list (I guess I can already delete #2 ...).

Wednesday, September 24, 2008

It was gratifying to see George echo (in the sense of saying the same thing, but later) on the OpenID list the same concern I expressed for Google's proposed RP UI model for federated login.

I didn't find the Google response on the OpenID list particularly convincing - essentially that if the user does mistakenly give their IDP password to the RP, then the RP can just alert the user to this, and so teach them proper behaviour.

Warning: it seems that you have mistakenly provided us with your AOL password. When logging in to Buy.com through your AOL.com account, you should only present this password to AOL. To reinforce this lesson, please provide the following additional identity attributes in order to allow us to chastise you more completely.

I'm down to actively managing my social network in only 3 places - LinkedIn, Facebook, and Plaxo. It's fun and exciting to watch them battle it out.

I've mentally categorized the 3 different networks as, respectively

where I connect to people that I might at some point in the future ask for a job

where I connect to people who take photos, mistakenly think I care about their taste in music, and constantly update their statuses (stati?), and

the annoying 3rd one that I wish would go away

I expect that everybody has an 'SNS I'd lose if I could', (SILIIC) i.e. a network they are forced to maintain, not by choice based on their own criteria for functionality and value, but rather through the social pressure exerted on them through invites from that network. I'd love to lose Plaxo, but fear doing so because, in deleting the account, I might lose a connection maintained there and only there.

So, the problem isn't that there are too many social networks, but rather that there is no standardized mechanism by which 2 users can determine whether they share a SILIIC and could therefore safely drop it from their list.

If everybody were to list their social networks in a ranked metadata format, bots could crawl the links and suggest a path towards simplification, e.g. "You and Bob have both listed LinkedIn as your preferred SNS, you can safely ditch Plaxo."

This model allows users to continue to actively manage their social network in duplicate places (which they clearly enjoy) but keeps this number manageable, i.e. approximately 4-5.

I went to my optometrist/optician to pick-up my prescription, with the intent of using it to buy contact lens online.

I was fully prepared to do battle over who owned the prescription, expecting some resistance from them to enabling my shopping around. A little bit of Googling Canadian Privacy Law, a couple of all-nighters writing up my argument, and I was ready.

In the end however, clearly sensing my determination and preparedness, they caved immediately - handing it over without even a token protest.

VERIFY YOUR YAHOOMAIL ACCOUNT NOW TO AVOID IT BEING CLOSE!!!

Dear Sarah Palin,

This message is from YahooMail message center to all YahooMail account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused YahooMail account to create more space for new accounts.

To prevent your account from closing, you will have to verify it below before One (1) week from now!

In failure of doing this, you will Automatically lose your YahooMail Account.

Thanks for using YahooMail

Andy, this is somewhat embarrassing but I'm wondering if, in your new role, you might put in a good word for me with my local librarian in regards to some fines? I really thought I had returned the books. Thanks in advance.

Fortunately, even though they are confused, nearly all users did enter their E-mail address and clicked the login button. As long as they do that, it does not matter whether they chose Yes or No in the UI, nor does it matter whether they typed a password.

If a user enters an @aol.com email address, they may feel it appropriate to enter their AOL password into the Buy.com UI.

Saturday, September 20, 2008

Thursday, September 18, 2008

Pardon me for not having the pleasure of knowing your mindset before making you this offer and it is utterly confidential and genuine by virtue of its nature. I write to solicit your assistance in a funds transfer deal involving US$3.5M. This fund has been stashed out of the excess profit made last year by my branch office the International Commercial Bank which I am the

Monday, September 15, 2008

Google's demo page for their SAML-based SSO does not yet reflect whatever fix they've implemented to address this vulnerability.

You can tell because the generated <Response> still doesn't include an InResponseTo attribute.

Of course, it is not Google that actually creates the <Response> message; they consume it. It is the partner IDPs that create the response (and, if they use Google's reference implementation of SAML, they won't avail themselves of the mechanisms SAML provides to scope an assertion to the intended audience).

I wonder how the Google SP would deal with a <Response> from a conformant implementation?

The necessary conditions for the attack are not quite as simple as I first imagined.

Now, any other SP offering the very same SAML SSO solution as Google and attractive enough to convince the AI-Lab to include one of its remote services (e.g. free access to online scientific books) is able to mount the above attack and thus to impersonate any user of the AI-Lab IdP that accesses its resources at any Google Application.

So, the attacker has to set themselves up as a SAML SP (using Google's library) and then convince a good IdP to send some assertions its way with (as Conor points out and Jeff castigates him for) a name identifier within that Google will recognize (and not expect only to see coming from the good IDP).

Related, Andreas lists SAML messages from a variety of implementations.
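As an added illustration (not code from this blog, from Google's library, or from any of the implementations Andreas lists), here is how an SP can apply the two scoping checks the post mentions, InResponseTo and AudienceRestriction, before trusting a samlp:Response. The entity IDs and sample messages are constructed, and signature verification is assumed to have been done beforehand.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def check_response_scoping(xml_text, sp_entity_id, expected_issuer, outstanding_request_ids):
    """Return the list of scoping problems in a samlp:Response; empty means it passed.

    Signature verification is assumed to have happened already (not shown): these
    checks only decide whether a genuinely signed assertion was meant for THIS SP.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]

    # InResponseTo ties the Response to an AuthnRequest this SP actually issued.
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        problems.append("no InResponseTo: Response is not tied to a request from this SP")
    elif in_response_to not in outstanding_request_ids:
        problems.append(f"InResponseTo {in_response_to!r} matches no outstanding request")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion present"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected Issuer {issuer!r}")

    # AudienceRestriction names the SP(s) the IdP intended the assertion for.
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not audiences:
        problems.append("no AudienceRestriction: assertion is not scoped to any SP")
    elif sp_entity_id not in audiences:
        problems.append(f"assertion scoped to {audiences}, not to {sp_entity_id!r}")
    return problems


def sample_response(in_response_to=None, audience=None):
    """Build a constructed, unsigned sample Response (hypothetical entity IDs) for demonstration only."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    conditions = (f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}"
                  "</saml:Audience></saml:AudienceRestriction></saml:Conditions>") if audience else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2008-09-15T10:00:00Z"{irt}>
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2008-09-15T10:00:00Z">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    {conditions}
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    sp, idp, pending = "https://sp.example", "https://idp.example", {"_req1"}
    # Shaped like the demo page described above: no InResponseTo, no audience.
    print(check_response_scoping(sample_response(), sp, idp, pending))
    # Issued for another SP and presented here: the audience check rejects it.
    print(check_response_scoping(sample_response("_req1", "https://other-sp.example"), sp, idp, pending))
    # Properly scoped to this SP and tied to its outstanding request: accepted.
    print(check_response_scoping(sample_response("_req1", sp), sp, idp, pending))
```

Running the block prints the three outcomes: the demo-shaped response fails both checks, the one issued for another SP fails the audience check, and the properly scoped one passes.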

I just listened to a story on CBC Radio about some Canadians who refused to fill out the 2006 Census, and are now facing the consequences of going against the Statistics Act.

Every person who, without lawful excuse, (a) refuses or neglects to answer, or wilfully answers falsely, any question requisite for obtaining any information sought in respect of the objects of this Act or pertinent thereto that has been asked of him by any person employed or deemed to be employed under this Act, or

(b) refuses or neglects to furnish any information or to fill in to the best of his knowledge and belief any schedule or form that the person has been required to fill in, and to return the same when and as required of him pursuant to this Act, or knowingly gives false or misleading information or practises any other deception thereunder

is, for every refusal or neglect, or false answer or deception, guilty of an offence and liable on summary conviction to a fine not exceeding five hundred dollars or to imprisonment for a term not exceeding three months or to both. 1970-71-72, c. 15, s. 29.

For one of the accused interviewed by the CBC, the concerns were privacy (i.e. why are you asking me, what will you do with it, etc). The Liberty Alliance's Identity Governance Framework would allow StatsCan to answer these sorts of questions in a machine readable manner (perhaps relevant if more people object).

But we'd probably need to define a 'purpose' URI for

"whatever we feel like, we're the government dummy!"

For the other refusenik, the objection was moral. StatsCan had hired Lockheed Martin to create the program for processing the 2006 data and the accused felt he could not in good conscience support sending Canadian tax dollars to a (US-based) weapons manufacturer.

Myself, whenever I feel the urge to 'push the envelope' and break out of my 'comfort prison', I just click on a link in a manifestly phishy email to see where it takes me. Or even reuse a password. Once I ignored a browser warning about an untrusted cert.

Sunday, September 14, 2008

I explained that sometimes the actual security measures (e.g. steel-toed boots etc) applied were less important than understanding the risk profile created by whatever measures are in place, and then acting accordingly (e.g. keeping my feet well back, always pushing and never pulling, putting my drink down when starting the engine etc).

She was unconvinced but - let's be honest, she's not the security expert in the family right?

The emergency room doctor on the other hand seemed far more impressed with the principle.

I am happy to announce that, due to the unparalleled lack of interest in the previous match, organizers have decided to put on the '2nd Annual Liberty Alliance Tokyo Cup', to be held following the November Liberty Alliance meetings in Tokyo, Japan.

The match will take place Thursday, November 6th. The location will not be announced till match day, to keep down the riff raff and paparazzi.

Acknowledging that any football pitch sized piece of land in downtown Tokyo already has 6-7 office buildings and a temple, organizers have decided that the game will be a futsal match. Futsal is a fast-paced 5-a-side indoor variation of football, known for its exciting foot-work, quick passing and attractive referees.

Futsal has quickly become very popular amongst SAML & Liberty proponents. Fans of other football variations point to the fact that the rules run to 72 pages as a representative of the complexity and bloat of futsal, and advocate simpler alternatives. Indeed, games such as 'balancing on one foot' and 'standing around staring at each other' are very popular in some locales - typically those without the resources to buy balls, goal nets and other equipment.

Work is under way to reconcile these differences. Proponents of the various Somewhat Silly Football Variations (SSFV) recognize that, unless the community can present to the market a cohesive & integrated approach to SSFV , the viewing public will look elsewhere for entertainment, leaving the door open for competing sports - such as Somewhat Silly Cricket Variations (SSCV) like baseball. And nobody wants that to happen.

Organizers of the Liberty Tokyo match have announced a strict drug & alcohol policy, namely that all participants MUST partake in one or the other - either during or directly following the match. Random urine testing of all participants is expected (beginning as of today).

Conor "One-Sock" Cahill, when asked whether he would be participating, responded 'Only if I can get an upgrade to First. Currently, I'm booked in business on a Triple 7 in from SFO, but I'm trying to switch that because I'm in seat 4A and I hate that seat because the power plug is about 2 inches too high and I have to unbuckle my seatbelt to reach it. I generally like 3F but the window shade was broken last time and the sun woke me up, even though I had taken my Ambien.'

Thursday, September 11, 2008

Notwithstanding my general level of scorn for Twitter, I do see its value when used to indirectly compliment me, as with Nishant's coverage of the DIDW panel I participated in with Mary Ruddy and Patrick Harding.

Conversation at the end of the session was the liveliest of any keynote/session I attended so far

The 'liveliness' that Nishant refers to pleased the presenters as well.

Should I ever be propositioned by an attractive lady (not the one with whom I cohabitate), I plan on using the above phrase to decline.

I would then follow up with an overview of Bob's relationship paradigm for identity. I expect that a 10-15 minute PowerPoint presentation discussing the subtleties of relationship types, actors, and life cycle would both dampen any remnant ardor (I know it does for myself) and mitigate any embarrassment the lady would be feeling at the rejection.

I do feel it's best to prepare for all eventualities - even those with no historical precedent.

In his DIDW presentation, Conor showed how Cardspace's security characteristics could be enhanced if underpinned by the Intel Identity Capable Platform.

In the demo, a strong authentication token (one stored in a secure region of the client) was issued by the IdP & provisioned into the client - this happening in a session based on a username/password authentication.

So, a strong credential hinged off a weak credential.

Conor acknowledged the perverseness of this - if you issue a credential that purports to give greater assurance than a password, you shouldn't do so based solely on a password-authenticated session. In practice you would need to supplement the password authentication with extra security, e.g. challenge questions, or something out of band, etc.

To use an analogy (certain to spike my readership, even if only till the US political process spits out some other triviality to focus on) you can put lipstick on a pig, but all you'll end up with is a cosmetically enhanced porker.

Similarly, you can plaster on the lipstick of strong authentication like Tammy Faye but, if you are smearing it onto a pig of an identity proofing process, you'll still be eating the bacon of low assurance ...

English (and I venture all other languages) provides a range of mechanisms for its speakers by which they can pose a request of another in such a manner that both participants' face is protected. (By 'face' I mean that nebulous attribute that people have when they are not being embarrassed or their status is not being diminished.)

For instance, 'Can I ask you to pass the milk?'.

Because the speaker hasn't actually asked the listener for the milk, merely for permission to do so, their face need not automatically be impacted if the milk is not passed (by a presumably 'lactose intolerant' dining mate) - they can just pretend that they didn't even really want the milk. 'Milk, who wants milk, not me!'.

And from the listener's PoV, their face is protected if they DO pass the milk - as the request was phrased so indirectly and not as a command, they won't appear to be a subservient flunky if they send the pitcher down the table.

I'd argue that, by this definition, the SAML protocol is rude, and WS-Federation is polite. A SAML RP comes right out and demands of the IdP that the user be authenticated with the <saml:AuthnRequest> message; a WS-Trust requestor (who wants the same thing) poses their query in a more roundabout and indirect manner by asking for a token with the <wst:RequestSecurityToken>.

This is of course mere coincidence - I know some very polite SAML contributors, and some (well one) quite rude WS-Federation contributor.

Friday, September 05, 2008

In a comment, Axel asks how I will deal with claim conversion - his claim in metric, my policy expressed in Imperial.

I have an assertion from my government IdP that says that I am over 1,8 meters tall. Does the Concordia RP accept claims in meters per se or do you have an RP-STS that converts meter-claims to inch-claims. I fear that my assertion gets rejected.

-Axel

Axel, before we deal with prosaic matters such as 'units', we must confront the unfortunate reality of the 'assurance hurdle'. Gerry's recent posts give me little reason to ascribe much assurance to a German IdP's assertions these days.

Might you be able to obtain a height claim from a Canadian IdP? They are generally accepted everywhere in the world (although admittedly they have been weakening lately against US height claims)

My 6yr old daughter, on hearing that she would have 'Computer Lab' in Grade 1, in a voice filled with trepidation that cut straight to her Father's heart:

'Will we haf' to log-on?'

I fully understand that you can't protect them from everything. But no 6yr old child should be exposed to credential management! She can barely write her name! How is she supposed to use Post-Its? And how hard would it be to run a dictionary attack on words that rhyme with 'cat'?

I'm sorry Sweetie, yes you will. But hang in there, things are changing.

Thursday, September 04, 2008

Lawyer1: Good morning ladies, please have a seat.
Lawyer2: Thank you. Can we get to the point, I have a tee time in 50 minutes..
Lawyer1: Of course, I'm playing later as well. My client is interested in exploring the possibility of adding your client to his Plaxo Contacts. At this point we are just considering our options of course.....
Lawyer2: (sighs) Oh, so that's it...
Lawyer1: Pardon me? My client is a 'Big Name' in identity. I would have thought it would be quite a coup for your client to be added ...
Lawyer2: Well, my client gets quite a lot of these sorts of invites. And many are, well let's just say, a little bit self-serving.
Client1: Self-serving! What's that supposed to mean? I don't host my own blog, I use .....
Lawyer1: (whispering to his client) Please! I'll do the talking .... (to other lawyer) Self-serving?
Lawyer2: Look, I'm sure your client is reasonably popular but let's be honest - mine is in a different league. I can show you her blog's numbers if you want. And so the value of any social connection would be highly skewed towards your client. Bottom line, what's in it for us?
Lawyer1: Skewed! You have got to be kidding. My client is very hooked-in, I mean, he even has an iName..
Lawyer2: And that impresses me how? That and 4 bucks will get me a Starbucks.
Client1: (indignantly) I'll have you know that iNames are built on XRI and are the future ...
Lawyer1: (under his breath to client) PLEASE!
Lawyer1: Forget the iName thing. But my client does twit - that has to be worth something.
Lawyer2: Do you mean tweets? Big deal, my garbageman tweets.
Lawyer1: OK, OK, let's take the tweeting thing off the table and talk numbers. I am authorized to offer the following - if your client accepts the invitation to connect, my client will link to 10 of your client's blog posts over the next 6 months.
Lawyer2: 20 posts.
Lawyer1: I can only go up to 15.
Lawyer2: (to client) OK, we're out of here, I think I can still make my tee time.
Lawyer1: OK, OK, 20 posts.
Lawyer2: And the link text has to be positive & approving. We'd want to see things like 'rare insight' or 'a wonderful wrap-up' etc.
Lawyer1: Sure sure, we'll have the associates work out a list of approved phrases later. But of course my client will want to maintain his 'blogging integrity'.
(all laugh)
Lawyer1: (still chuckling) So, are we getting close to a deal here?
Lawyer2: Yeah, send the draft invite over and we'll look it over and send back our changes.
Lawyer1: Perfect. You know, coincidentally I think you represent a Facebook friend of another client of mine that is trying to end their relationship.
Lawyer2: Could be. Those are always messy drawn out affairs - (under her breath to other lawyer) Lots of billables.
(both smile)